2018-09-04 - QUICK POST: HANCITOR MALSPAM USES PDF ATTACHMENT
ASSOCIATED FILES:
- 2018-09-04-Hancitor-malspam-example.eml.zip 125 kB (125,192 bytes)
- 2018-09-04-Hancitor-malspam-infection-traffic.pcap.zip 2.4 MB (2,378,935 bytes)
- 2018-09-04-malware-from-Hancitor-malspam-infection.zip 433 kB (433,440 bytes)
NOTES:
- Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
- Today's Hancitor malspam used PDF attachments, instead of links in the message text, to deliver the malicious Word doc.
- The link to the Word doc was inside the PDF attachment rather than in the email body.
- Time to update the flow chart....
Shown above: Chain of events for today's Hancitor malspam infection.
IMAGES
Shown above: Screenshot of an email from today's wave of Hancitor malspam.
Shown above: PDF attachment from the malspam.
Shown above: After downloading the Word doc, enable macros to infect a vulnerable Windows host.
Shown above: Traffic from the infection filtered in Wireshark.